OpenSSL Reference
About OpenSSL Reference
The OpenSSL Reference is a searchable command-line cheat sheet covering the most essential OpenSSL operations for certificate management, cryptographic key generation, encryption/decryption, hashing, TLS protocol testing, and certificate verification. Each entry includes the exact command syntax with practical examples that can be copied and used directly in a terminal.
Certificate operations cover self-signed certificate generation (req -new -x509), CSR creation (req -new), certificate inspection (x509 -text), validity date checking (x509 -dates), and PKCS#12 export. Key generation includes RSA keys (genrsa with 2048/4096 bits and optional AES-256 encryption), EC keys (ecparam -genkey with prime256v1), Ed25519 keys (genpkey), public key extraction (rsa -pubout), and key validation (rsa -check).
Encryption covers AES-256-CBC symmetric encryption/decryption (enc) and RSA public-key encryption/decryption (rsautl). Hashing and signing operations include SHA-256, SHA-512, and MD5 digests (dgst) plus private key signing and public key signature verification. TLS protocol tools cover s_client connection testing, s_server, certificate chain display (s_client -showcerts), and cipher suite listing (ciphers). Verification commands handle certificate chain validation, fingerprint extraction, CSR verification, and CRL inspection.
Key Features
- Certificate management: self-signed generation, CSR creation, x509 inspection, validity dates, and PKCS#12 export with exact command syntax
- Key generation commands: RSA (2048/4096-bit, encrypted), EC prime256v1, Ed25519, public key extraction, and key validation
- Symmetric encryption: AES-256-CBC file encryption and decryption with password-based key derivation
- RSA asymmetric encryption: public key encryption (rsautl -encrypt) and private key decryption (rsautl -decrypt)
- Hashing and digital signatures: SHA-256, SHA-512, MD5 digest computation, private key file signing, and public key signature verification
- TLS protocol testing: s_client server connection, s_server, full certificate chain display (s_client -showcerts), and cipher suite enumeration
- Certificate verification: chain validation (verify -CAfile), SHA-256 fingerprint extraction, CSR verification, and CRL inspection
- Copy-paste ready commands with real-world file paths and output examples for immediate terminal use
Frequently Asked Questions
How do I generate a self-signed SSL certificate with OpenSSL?
Run: openssl req -new -x509 -days 365 -key private.key -out cert.pem -subj "/CN=example.com". This creates a self-signed certificate valid for 365 days using an existing private key. If you do not have a key yet, first generate one with "openssl genrsa -out private.key 2048". For production use, generate a CSR instead and have it signed by a Certificate Authority.
How do I generate RSA, EC, and Ed25519 keys?
RSA: "openssl genrsa -out private.key 2048" (or 4096 for higher security; add -aes256 to encrypt the key file with a passphrase). EC: "openssl ecparam -genkey -name prime256v1 -out ec_private.key". Ed25519: "openssl genpkey -algorithm ed25519 -out ed25519_private.key". Extract the public key of an RSA key with "openssl rsa -in private.key -pubout -out public.key"; for EC and Ed25519 keys, use the pkey subcommand in place of rsa.
How do I encrypt and decrypt files with AES-256?
Encrypt: "openssl enc -aes-256-cbc -salt -in plain.txt -out encrypted.bin -pass pass:mypassword". Decrypt: "openssl enc -aes-256-cbc -d -in encrypted.bin -out decrypted.txt -pass pass:mypassword". The -salt flag mixes a random salt into the password-based key derivation, so the same password yields a different key and ciphertext each time and precomputed dictionary attacks do not apply. For RSA encryption of small files, use "openssl rsautl -encrypt -pubin -inkey public.key -in plain.txt -out encrypted.bin".
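An added example (not part of the original reference) of the AES-256-CBC round trip above. It goes beyond the page's command by adding -pbkdf2 -iter for key derivation and by reading the password with -pass file: instead of placing it on the command line; the file names, password and iteration count are constructed for the demo, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: file names, password and iteration count are constructed.
enc_demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample plaintext\n' > "$dir/plain.txt"
    # Keep the password out of argv (process list, shell history):
    # -pass file: reads the first line of a file only the owner can read.
    ( umask 077; printf 'constructed-demo-password\n' > "$dir/pass.txt" )

    # Encrypt the same plaintext twice with the same password.
    for n in 1 2; do
        openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
            -in "$dir/plain.txt" -out "$dir/enc$n.bin" \
            -pass "file:$dir/pass.txt" || return 1
    done

    # Salted output begins with the 8-byte magic "Salted__", then the salt.
    magic=$(head -c 8 "$dir/enc1.bin")
    # A fresh random salt per run means the two ciphertexts differ.
    if cmp -s "$dir/enc1.bin" "$dir/enc2.bin"; then salted=no; else salted=yes; fi

    # Decryption must repeat the KDF options used for encryption.
    openssl enc -aes-256-cbc -d -pbkdf2 -iter 200000 \
        -in "$dir/enc1.bin" -out "$dir/dec.txt" \
        -pass "file:$dir/pass.txt" || return 1
    if cmp -s "$dir/plain.txt" "$dir/dec.txt"; then roundtrip=ok; else roundtrip=fail; fi

    rm -rf "$dir"
    echo "magic=$magic salted=$salted roundtrip=$roundtrip"
}

enc_demo
```

AES-256-CBC as used by enc does not authenticate the ciphertext, so pair it with a signature or MAC when tampering matters.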
How do I test a TLS connection to a server?
Run: "openssl s_client -connect example.com:443 -servername example.com". This performs a TLS handshake with the server and displays the server certificate, certificate chain, TLS version, and cipher suite. Add -showcerts to print every certificate the server sends in its chain. Use "openssl ciphers -v TLSv1.3" to list available cipher suites for a specific protocol version.
How do I verify a certificate chain?
Run: "openssl verify -CAfile ca.pem cert.pem". This verifies that cert.pem was signed by the CA certificate in ca.pem and the chain is valid. For fingerprint extraction: "openssl x509 -fingerprint -sha256 -in cert.pem -noout". To check expiration dates: "openssl x509 -in cert.pem -dates -noout" shows notBefore and notAfter timestamps.
How do I create and verify digital signatures?
Sign a file: "openssl dgst -sha256 -sign private.key -out signature.bin file.txt". Verify: "openssl dgst -sha256 -verify public.key -signature signature.bin file.txt" which outputs "Verified OK" on success. Digital signatures use SHA-256 hashing combined with RSA/EC private key signing to ensure both integrity and authenticity.
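An added example (not part of the original reference) that runs the sign and verify commands above and then shows the two failure cases a script has to handle: a modified file and the wrong public key. File names and contents are constructed for the demo; the result is taken from the exit status of "openssl dgst -verify".

```shell
#!/bin/sh
# Added example: file names and contents are constructed for the demo.
verify_sig() {   # args: public key, signature, file; prints accepted/rejected
    if openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

sign_demo() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null || return 1
    openssl rsa -in "$dir/private.key" -pubout \
        -out "$dir/public.key" 2>/dev/null || return 1

    printf 'constructed release notes, version 1\n' > "$dir/file.txt"
    openssl dgst -sha256 -sign "$dir/private.key" \
        -out "$dir/signature.bin" "$dir/file.txt" || return 1
    intact=$(verify_sig "$dir/public.key" "$dir/signature.bin" "$dir/file.txt")

    # One appended byte changes the SHA-256 digest, so the signature
    # no longer matches the file.
    printf 'x' >> "$dir/file.txt"
    tampered=$(verify_sig "$dir/public.key" "$dir/signature.bin" "$dir/file.txt")

    # Restore the file, then check the signature against an unrelated key.
    printf 'constructed release notes, version 1\n' > "$dir/file.txt"
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null || return 1
    openssl rsa -in "$dir/other.key" -pubout \
        -out "$dir/other.pub" 2>/dev/null || return 1
    wrongkey=$(verify_sig "$dir/other.pub" "$dir/signature.bin" "$dir/file.txt")

    rm -rf "$dir"
    echo "intact=$intact tampered=$tampered wrongkey=$wrongkey"
}

sign_demo
```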
What is the difference between a CSR and a self-signed certificate?
A CSR (Certificate Signing Request) is generated with "openssl req -new" and sent to a Certificate Authority (CA) for signing, resulting in a publicly trusted certificate. A self-signed certificate (req -new -x509) is signed by its own private key and is not trusted by browsers by default. Use CSRs for production websites; self-signed certificates are suitable for development, testing, and internal services.
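An added example (not part of the original reference) that ties the CSR answer above to the earlier "openssl verify -CAfile" answer: it creates a throwaway CA, signs a CSR with it, and verifies both the CA-issued certificate and a self-signed certificate for the same key against that CA. The CA name, file names and 30-day validity are constructed; the "openssl x509 -req -CA -CAkey -CAcreateserial" signing step stands in for a real CA and is not a command listed on this page.

```shell
#!/bin/sh
# Added example: the CA name, file names and validity period are constructed.
chain_demo() {
    dir=$(mktemp -d) || return 1
    # 1. Throwaway CA: a self-signed certificate that acts as the trust anchor.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 30 -key "$dir/ca.key" \
        -out "$dir/ca.pem" -subj "/CN=Constructed Demo CA" || return 1

    # 2. Server key and CSR; the CSR carries the public key and subject only.
    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/private.key" \
        -out "$dir/server.csr" -subj "/CN=example.com" || return 1

    # 3. The CA signs the CSR, producing a certificate issued by the CA.
    openssl x509 -req -in "$dir/server.csr" -days 30 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/cert.pem" 2>/dev/null || return 1

    # 4. Self-signed certificate for the same key and subject, for comparison.
    openssl req -new -x509 -days 30 -key "$dir/private.key" \
        -out "$dir/selfsigned.pem" -subj "/CN=example.com" || return 1

    # 5. Only the CA-issued certificate chains to ca.pem.
    if openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1
    then ca_signed=trusted; else ca_signed=untrusted; fi
    if openssl verify -CAfile "$dir/ca.pem" "$dir/selfsigned.pem" >/dev/null 2>&1
    then self_signed=trusted; else self_signed=untrusted; fi

    rm -rf "$dir"
    echo "ca_signed=$ca_signed self_signed=$self_signed"
}

chain_demo
```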
Is this OpenSSL reference free?
Yes, this reference is completely free with no usage limits, no account required, and no software installation needed. It covers 28 essential OpenSSL commands across certificates, key generation, encryption, hashing, TLS protocol, and verification. All data is processed locally in your browser. It is part of liminfo.com's free online security and DevOps tool collection.